Virtual Appliance Setup

LogSentinel SIEM can be installed as a virtual appliance on any hypervisor that supports OVA/OVF, including VMWare ESX, Microsoft Hyper-V, Oracle VirtualBox, Citrix XenServer and more.

The virtual appliance is provided by the LogSentinel team and is automatically configured after deployment via the hypervisor. After the initial configuration, the appliance shows the URL that LogSentinel SIEM is accessible from.

The SIEM can be configured further by logging into the appliance as root/logsentinel (the system then requires the password to be changed immediately). All necessary properties can be changed in /var/logsentinel/app.properties.

Through those properties multiple appliances can be run in a cluster. For running in a cluster, seek support from a LogSentinel partner/integrator or contact us directly.

IP assignment

If DHCP is enabled, the appliance gets the IP address automatically.

If no DHCP is available, the relevant details (IP, mask, gateway and DNS) can be specified on the first run when prompted.

Network access

In order to have all functionality available, the following URLs need to be accessible from the SIEM machine(s):

  • https://s3-eu-west-1.amazonaws.com/ (used to download the latest collector binaries)
  • All threat feeds (URLs are available in the Management -> Threat Feeds menu).
  • https://api.logsentinel.com/ (optional, for license checks)

Threat feeds

In order to have access to the built-in threat feeds, the following properties should be configured in app.properties.

Storage

Storage sizing is described here. If you need a more granular storage setup for the appliance, the following directories hold the data that grows in size:

  • /var/lib/elasticsearch/
  • /tmp/kafka-logs/
  • /var/lib/cassandra/

Updates

Updates, including new reports, rules and saved searches, are distributed in a single, self-contained jar file that has to be copied to /var/logsentinel/logsentinel.jar on each deployment of the LogSentinel SIEM appliance. After the jar is placed, the service should be restarted (sudo service logsentinel restart). In highly available clusters, make sure that nodes are not restarted simultaneously, in order to avoid downtime.
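Applied to the update procedure above, an added example (not LogSentinel's own tooling) that installs the jar node by node with a health check in between, so that no two cluster nodes are ever restarted at the same time. SSH access as a sudo-capable user, the SIEM web UI answering over HTTPS on each node, and the DRY_RUN variable are assumptions of this script.

```shell
#!/usr/bin/env bash
# Rolling jar update across LogSentinel SIEM appliance nodes (added example).
# Assumed: nodes reachable over SSH as a sudo-capable user, SIEM UI on HTTPS.
# DRY_RUN=1 prints the remote commands instead of executing them.
set -euo pipefail

JAR_PATH="/var/logsentinel/logsentinel.jar"

# Check the new jar against a SHA-256 obtained out-of-band before it touches
# any node, so a truncated or tampered download is never installed.
verify_jar() {
  local jar="$1" expected="$2" actual
  actual=$(sha256sum "$jar" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# Run a command on a node (or just echo it in dry-run mode).
run_remote() {
  local node="$1"; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "[dry-run] $node: $*"; return 0; fi
  ssh "$node" "$@"
}

# Poll the node's UI (up to 2 minutes) so the next node is only restarted
# once this one serves requests again; this keeps the cluster available.
wait_healthy() {
  local node="$1" i
  for i in $(seq 1 24); do
    curl -fsS -o /dev/null --max-time 5 "https://$node/" && return 0
    sleep 5
  done
  return 1
}

# Update nodes strictly one at a time; halt the rollout if a node stays down.
rolling_update() {
  local jar="$1" node; shift
  for node in "$@"; do
    echo "Updating $node"
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "[dry-run] scp $jar $node:/tmp/logsentinel.jar"
    else
      scp "$jar" "$node:/tmp/logsentinel.jar"
    fi
    run_remote "$node" "sudo install -m 0644 /tmp/logsentinel.jar $JAR_PATH && sudo service logsentinel restart"
    [ "${DRY_RUN:-0}" = "1" ] && continue
    wait_healthy "$node" || { echo "$node did not recover; rollout halted" >&2; return 1; }
  done
}
```

Typical use: `verify_jar logsentinel.jar <published-sha256> && rolling_update logsentinel.jar siem1 siem2 siem3`, with a DRY_RUN=1 pass first to review the commands.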